Security Operations, AI/ML, AI benefits/risks, SOC

Why we need prevention at scale to stop the AI ghouls


COMMENTARY: Every October around Halloween, we’re reminded that what’s truly frightening often hides in plain sight — this rings especially true for modern-day cybersecurity pros.

The scariest industry developments aren’t happening in the shadows of the dark web: they’re emerging from Generative AI (GenAI) operating in broad daylight.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

In the past year, the rapid democratization of AI has opened the door for a new class of haunting threats. Malware creation, once a domain requiring deep expertise and significant time, now gets automated in mere seconds. It’s no longer about who has the most sophisticated tools, but who can leverage AI the fastest — and the current advantage favors the bad actors.

It’s like a haunted house gone wrong, and the monsters are in control.

The low barrier to malware creation

Our team recently showed that large language models (LLMs) can generate fully executable ransomware code in under 30 seconds. These aren’t proof-of-concept snippets — they’re functional attacks capable of encryption, evasion, and persistence.

This speed fundamentally changes the calculus of threat creation. A task that took days or weeks of skilled development now takes moments, and iteration happens just as fast. As we move further towards a data economy, the stakes for organizations are higher than ever, while attackers’ technical bar for entry falls.

The implications should put everyone on notice. Forescout researchers recently reported that 55% of AI models failed to create working exploits, which was presented as a win. They argued: “vibe hacking hasn’t caught up with vibe coding.”

I see it differently — it’s more trick than treat. It really means that 45% of AI models succeeded in generating exploits. That’s a significant problem in cybersecurity, especially since attackers only need one success to cause damage. Automated malware generation has arrived. It’s operational, and that’s really frightening.

Why “good enough” defenses don’t work anymore

Traditional detection-based defenses, which I’d actually call legacy at this point, including those reliant on signatures, heuristics, and behavioral learning, are designed to identify known or previously observed threats. But AI-generated attacks are, by nature, never-before-seen threats.

During our demo, we uploaded newly created malware to VirusTotal. Eight vendors flagged it, while 65 did not. If this were a real-world specimen, 89% of security tools would have let the unknown variant waltz right in. When we recompiled the code in a different language, more vendors caught it. Unfortunately, it was a completely different set of vendors than the first version of the attack.

This underscores a terrifying reality: reactive defenses cannot scale to match the velocity or diversity of new, AI-generated threats. Each variant behaves just differently enough to evade what came before, turning every mutation into a zero-day.

With GenAI, attackers no longer need to write one piece of malware and hope it succeeds. They can now generate hundreds of permutations automatically, each slightly altered in structure or behavior.

In a separate experiment, I tested this in a controlled lab environment. Over a 24-hour period, I created more than 700 distinct variants of a single exploit using AI-assisted automation. Each variant was tested, refined, and redeployed — faster than any human-led detection pipeline could adapt.

And, like ghosts, each bypassed the antivirus technologies that were protecting my test environment.

Seven hundred variants in one day. And hackers only need one to succeed. That’s troubling for any cybersecurity pro already grappling with known threats.

Welcome to the new arms race. The difference isn’t just sophistication — it’s speed. The adversarial advantage now lies in how quickly attackers can iterate. Defenders cannot respond quickly enough.

The path forward: from reaction to prediction

Most AI tools in cybersecurity today are retrospective — they excel at analyzing and explaining breaches after they occur. It doesn’t require much sophistication to say, “the criminal probably came in through an unlocked window.” While it’s important to know the hackers will target defensive gaps, it’s no longer sufficient for prevention.

Preemptive security requires the ability to identify attacks before they break in, and before remediation is required, using pre-execution analysis and predictive modeling to identify malicious intent and close gaps before code runs. Security teams must move beyond traditional machine learning-based tools toward more intelligent, advanced models that can interpret data contextually and autonomously, without relying on known signatures or post-event telemetry.

We don’t just want rapid detection, but prevention at scale. And even more, understanding at speed: defenders need the ability to explain in real-time why a given file, script, or process can harm the company — before damage occurs. It’s like understanding exactly how the haunted house will work — in every room, around every corner, and in the dark — ultimately minimizing the risk.

The rise of AI-driven threat generation should serve as a wake-up call across the industry. Adversaries have already embraced automation, iteration, and self-learning systems. Defensive technologies must evolve at the same pace, or even faster.

That means rethinking how we define “real-time” detection, investing in AI explainability to empower analysts, and shifting our focus from post-breach forensics to preemptive prevention.

Cybersecurity has always been dynamic, but we’ve never seen anything like AI before. The organizations that adapt will survive. Those that don’t may find themselves outpaced — not by human adversaries, but by automated algorithms that never rest.

Brian Black, head of security engineering, Deep Instinct
